RQ Threat Advisory Report: HAFNIUM/Exchange Zero-Days

On March 2, 2021, Microsoft Security Response Center released updates related to vulnerabilities affecting on-premises deployments of Microsoft Exchange Server 2013/2016/2019. Microsoft also revealed details around active exploitation of these vulnerabilities using zero-day exploits. The exploited vulnerabilities span several classifications, including server-side request forgery (SSRF), deserialization, and a set of arbitrary file write vulnerabilities; all effecting on-premises Exchange deployments. Each of these vulnerabilities had an assigned CVSS base score of 7.8 or higher, placing their severity ratings within the High and Critical range.


In the exposure of the active exploitation of these vulnerabilities, Microsoft provided attribution details for the activity. Per their research, the activity is associated with a state-sponsored group they have named “HAFNIUM”. This threat group has reportedly been actively targeting various industries within the United States, ranging from law firms to defense contractors. This threat group has historically been associated with exploitation of vulnerabilities in publicly accessible services, and specific targeting of Office 365 environments. HAFNIUM also uses readily available open-source tools for their attacks, including Covenant, Nishang, PowerCat, and other common offensive security tools.


The ReliaQuest Threat Management Team is actively collecting, categorizing, and vetting Indicators of Compromise (IoCs) related to this campaign. Known IoCs are being continuously ingested into the GreyMatter Intel platform for use in investigations by the ReliaQuest SOC and ReliaQuest GreyMatter customers. We have proactively engaged with our customers so they understand the risk that this campaign poses, as well as building of automated retroactive hunts for known indicators of compromise for those affected.  The RQ Threat Advisory Report: HAFNIUM/Exchange Zero-Daysoutlines the vulnerability and its exploitation in more detail including IoCs (indicators of compromise) and GreyMatter detection capabilities mapped to MITRE ATT&CK and the Kill Chain.

More Articles

3 Signs It’s Time to Rethink Your Security Operations Strategy

Today, the security industry is over-saturated with technologies and tools. While many enterprises have established or are setting a foundation for their security operations with Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR), there are countless point solutions arising to extend them, from SOAR to CASB, UEBA and more. Although each […]

Best Practices for Increasing Visibility Across Cloud and SaaS Applications

As enterprises are accelerating the adoption of digital transformation, the attack surface is rapidly expanding into cloud and multi-cloud environments.  In order to effectively detect and respond to threats, visibility that spans across on-premises and cloud infrastructure is a must.  How can you gain visibility into cloud and SaaS applications? 1. Explore new solutions to […]

Debunked: Three Myths About Security Automation

“Vendor sprawl” is hitting a peak, as Dark Reading noted last October. There are too many security tools out there, with too little integration among them, generating too much noise for security teams to analyze and act on. We’ve seen first-hand the challenges that automation and data “noise” create for security teams: For example, they […]